* conntrack can't update mark on icmp connection
@ 2012-02-13 22:16 abirvalg
2012-03-23 1:11 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: abirvalg @ 2012-02-13 22:16 UTC (permalink / raw)
To: netfilter-devel
Hello,
As root I try to set marks on all packets originating from my machine with
conntrack -U -s 192.168.1.114 --mark 10
It does set marks on some udp connections but ignores the icmp one.
Upon the issue of this command it lists all updated udp connections with mark=10 and \
eventually gives
...
conntrack v0.9.14 (conntrack-tools): Operation failed: invalid parameters
After that conntrack -L shows that all udp connections that preceed in the list the icmp one \
where updated, but the icmp connection and all udp connections following it in the \
list were not updated. Seems like conntrack choked on icmp.
Could you please help me.
uname -a
Linux 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 \
GNU/Linux
P.S.
Please CC me when replying.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: conntrack can't update mark on icmp connection
2012-02-13 22:16 conntrack can't update mark on icmp connection abirvalg
@ 2012-03-23 1:11 ` Pablo Neira Ayuso
0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2012-03-23 1:11 UTC (permalink / raw)
To: abirvalg; +Cc: netfilter-devel
On Tue, Feb 14, 2012 at 12:16:44AM +0200, abirvalg@lavabit.com wrote:
> Hello,
> As root I try to set marks on all packets originating from my machine with
>
> conntrack -U -s 192.168.1.114 --mark 10
>
> It does set marks on some udp connections but ignores the icmp one.
> Upon the issue of this command it lists all updated udp connections with mark=10 and \
> eventually gives
> ...
> conntrack v0.9.14 (conntrack-tools): Operation failed: invalid parameters
>
> After that conntrack -L shows that all udp connections that preceed in the list the icmp one \
> where updated, but the icmp connection and all udp connections following it in the \
> list were not updated. Seems like conntrack choked on icmp.
>
> Could you please help me.
> uname -a
> Linux 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 \
> GNU/Linux
The problem seems to be in libnetfilter_conntrack.
I have pushed the following patch, it seems to resolve the issue here
for me.
commit 3a39278a56d12ad13a41973cd0b50238206f11ef
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Mar 23 02:07:41 2012 +0100
conntrack: fix wrong building of ICMP reply tuple
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: conntrack can't update mark on icmp connection
@ 2012-03-20 15:35 abirvalg
0 siblings, 0 replies; 3+ messages in thread
From: abirvalg @ 2012-03-20 15:35 UTC (permalink / raw)
To: netfilter-devel
Sorry to bump this thread. I just think it warrants attention.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-03-23 1:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-02-13 22:16 conntrack can't update mark on icmp connection abirvalg
2012-03-23 1:11 ` Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2012-03-20 15:35 abirvalg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).